pocketbase-zod-schema 0.2.3 → 0.2.4

package/dist/index.js

@@ -15,440 +15,6 @@ var StatusEnum = z.enum([
   "fail"
   // Failed project at any stage
 ]);
-var baseSchema = {
-  id: z.string().describe("unique id"),
-  collectionId: z.string().describe("collection id"),
-  collectionName: z.string().describe("collection name"),
-  expand: z.record(z.any()).describe("expandable fields"),
-  created: z.string().describe("creation timestamp"),
-  updated: z.string().describe("last update timestamp")
-};
-var baseSchemaWithTimestamps = {
-  ...baseSchema,
-  created: z.string().describe("creation timestamp"),
-  updated: z.string().describe("last update timestamp")
-};
-var baseImageFileSchema = {
-  ...baseSchema,
-  thumbnailURL: z.string().optional(),
-  imageFiles: z.array(z.string())
-};
-var inputImageFileSchema = {
-  imageFiles: z.array(z.instanceof(File))
-};
-var omitImageFilesSchema = {
-  imageFiles: true
-};
-function textField(options) {
-  let schema = z.string();
-  if (options?.min !== void 0) schema = schema.min(options.min);
-  if (options?.max !== void 0) schema = schema.max(options.max);
-  if (options?.pattern !== void 0) schema = schema.regex(options.pattern);
-  return schema;
-}
-function emailField() {
-  return z.string().email();
-}
-function urlField() {
-  return z.string().url();
-}
-function numberField(options) {
-  let schema = z.number();
-  if (options?.min !== void 0) schema = schema.min(options.min);
-  if (options?.max !== void 0) schema = schema.max(options.max);
-  return schema;
-}
-function boolField() {
-  return z.boolean();
-}
-function dateField() {
-  return z.date();
-}
-function selectField(values) {
-  return z.enum(values);
-}
-function jsonField(schema) {
-  return schema ?? z.record(z.any());
-}
-function fileField() {
-  return z.instanceof(File);
-}
-function filesField(options) {
-  let schema = z.array(z.instanceof(File));
-  if (options?.min !== void 0) schema = schema.min(options.min);
-  if (options?.max !== void 0) schema = schema.max(options.max);
-  return schema;
-}
-var RELATION_METADATA_KEY = "__pocketbase_relation__";
-function RelationField(config) {
-  const metadata = {
-    [RELATION_METADATA_KEY]: {
-      type: "single",
-      collection: config.collection,
-      cascadeDelete: config.cascadeDelete ?? false,
-      maxSelect: 1,
-      minSelect: 0
-    }
-  };
-  return z.string().describe(JSON.stringify(metadata));
-}
-function RelationsField(config) {
-  const metadata = {
-    [RELATION_METADATA_KEY]: {
-      type: "multiple",
-      collection: config.collection,
-      cascadeDelete: config.cascadeDelete ?? false,
-      maxSelect: config.maxSelect ?? 999,
-      minSelect: config.minSelect ?? 0
-    }
-  };
-  let schema = z.array(z.string());
-  if (config.minSelect !== void 0) {
-    schema = schema.min(config.minSelect);
-  }
-  if (config.maxSelect !== void 0) {
-    schema = schema.max(config.maxSelect);
-  }
-  return schema.describe(JSON.stringify(metadata));
-}
-function extractRelationMetadata(description) {
-  if (!description) return null;
-  try {
-    const parsed = JSON.parse(description);
-    if (parsed[RELATION_METADATA_KEY]) {
-      return parsed[RELATION_METADATA_KEY];
-    }
-  } catch {
-  }
-  return null;
-}
-function editorField() {
-  return z.string();
-}
-function geoPointField() {
-  return z.object({
-    lon: z.number(),
-    lat: z.number()
-  });
-}
-function withPermissions(schema, config) {
-  const metadata = {
-    permissions: config
-  };
-  return schema.describe(JSON.stringify(metadata));
-}
-function withIndexes(schema, indexes) {
-  let existingMetadata = {};
-  if (schema.description) {
-    try {
-      existingMetadata = JSON.parse(schema.description);
-    } catch {
-    }
-  }
-  const metadata = {
-    ...existingMetadata,
-    indexes
-  };
-  return schema.describe(JSON.stringify(metadata));
-}
-function defineCollection(config) {
-  const { collectionName, schema, permissions, indexes, type, ...futureOptions } = config;
-  const metadata = {
-    collectionName
-  };
-  if (type) {
-    metadata.type = type;
-  }
-  if (permissions) {
-    metadata.permissions = permissions;
-  }
-  if (indexes) {
-    metadata.indexes = indexes;
-  }
-  if (Object.keys(futureOptions).length > 0) {
-    Object.assign(metadata, futureOptions);
-  }
-  return schema.describe(JSON.stringify(metadata));
-}
-
-// src/utils/permission-templates.ts
-var PermissionTemplates = {
-  /**
-   * Public access - anyone can perform all operations
-   */
-  public: () => ({
-    listRule: "",
-    viewRule: "",
-    createRule: "",
-    updateRule: "",
-    deleteRule: ""
-  }),
-  /**
-   * Authenticated users only - requires valid authentication for all operations
-   */
-  authenticated: () => ({
-    listRule: '@request.auth.id != ""',
-    viewRule: '@request.auth.id != ""',
-    createRule: '@request.auth.id != ""',
-    updateRule: '@request.auth.id != ""',
-    deleteRule: '@request.auth.id != ""'
-  }),
-  /**
-   * Owner-only access - users can only manage their own records
-   * @param ownerField - Name of the relation field pointing to user (default: 'User')
-   */
-  ownerOnly: (ownerField = "User") => ({
-    listRule: `@request.auth.id != "" && ${ownerField} = @request.auth.id`,
-    viewRule: `@request.auth.id != "" && ${ownerField} = @request.auth.id`,
-    createRule: '@request.auth.id != ""',
-    updateRule: `@request.auth.id != "" && ${ownerField} = @request.auth.id`,
-    deleteRule: `@request.auth.id != "" && ${ownerField} = @request.auth.id`
-  }),
-  /**
-   * Admin/superuser only access
-   * Assumes a 'role' field exists with 'admin' value
-   * @param roleField - Name of the role field (default: 'role')
-   */
-  adminOnly: (roleField = "role") => ({
-    listRule: `@request.auth.id != "" && @request.auth.${roleField} = "admin"`,
-    viewRule: `@request.auth.id != "" && @request.auth.${roleField} = "admin"`,
-    createRule: `@request.auth.id != "" && @request.auth.${roleField} = "admin"`,
-    updateRule: `@request.auth.id != "" && @request.auth.${roleField} = "admin"`,
-    deleteRule: `@request.auth.id != "" && @request.auth.${roleField} = "admin"`
-  }),
-  /**
-   * Public read, authenticated write
-   * Anyone can list/view, but only authenticated users can create/update/delete
-   */
-  readPublic: () => ({
-    listRule: "",
-    viewRule: "",
-    createRule: '@request.auth.id != ""',
-    updateRule: '@request.auth.id != ""',
-    deleteRule: '@request.auth.id != ""'
-  }),
-  /**
-   * Locked access - only superusers can perform operations
-   * All rules are set to null (locked)
-   */
-  locked: () => ({
-    listRule: null,
-    viewRule: null,
-    createRule: null,
-    updateRule: null,
-    deleteRule: null
-  }),
-  /**
-   * Read-only authenticated - authenticated users can read, no write access
-   */
-  readOnlyAuthenticated: () => ({
-    listRule: '@request.auth.id != ""',
-    viewRule: '@request.auth.id != ""',
-    createRule: null,
-    updateRule: null,
-    deleteRule: null
-  })
-};
-function resolveTemplate(config) {
-  let baseRules;
-  switch (config.template) {
-    case "public":
-      baseRules = PermissionTemplates.public();
-      break;
-    case "authenticated":
-      baseRules = PermissionTemplates.authenticated();
-      break;
-    case "owner-only":
-      baseRules = PermissionTemplates.ownerOnly(config.ownerField);
-      break;
-    case "admin-only":
-      baseRules = PermissionTemplates.adminOnly(config.roleField);
-      break;
-    case "read-public":
-      baseRules = PermissionTemplates.readPublic();
-      break;
-    case "custom":
-      baseRules = {};
-      break;
-    default: {
-      const _exhaustive = config.template;
-      throw new Error(`Unknown template type: ${_exhaustive}`);
-    }
-  }
-  return {
-    ...baseRules,
-    ...config.customRules
-  };
-}
-function isTemplateConfig(config) {
-  return "template" in config;
-}
-function isPermissionSchema(config) {
-  return "listRule" in config || "viewRule" in config || "createRule" in config || "updateRule" in config || "deleteRule" in config || "manageRule" in config;
-}
-function validatePermissionConfig(config, isAuthCollection2 = false) {
-  const result = {
-    valid: true,
-    errors: [],
-    warnings: []
-  };
-  let permissions;
-  if (isTemplateConfig(config)) {
-    if (config.template === "owner-only" && !config.ownerField) {
-      result.warnings.push("owner-only template without ownerField specified - using default 'User'");
-    }
-    if (config.template === "admin-only" && !config.roleField) {
-      result.warnings.push("admin-only template without roleField specified - using default 'role'");
-    }
-    permissions = resolveTemplate(config);
-  } else {
-    permissions = config;
-  }
-  if (permissions.manageRule !== void 0 && !isAuthCollection2) {
-    result.errors.push("manageRule is only valid for auth collections");
-    result.valid = false;
-  }
-  const ruleTypes = ["listRule", "viewRule", "createRule", "updateRule", "deleteRule"];
-  if (isAuthCollection2) {
-    ruleTypes.push("manageRule");
-  }
-  for (const ruleType of ruleTypes) {
-    const rule = permissions[ruleType];
-    if (rule !== void 0 && rule !== null && rule !== "") {
-      const ruleValidation = validateRuleExpression(rule);
-      if (!ruleValidation.valid) {
-        result.errors.push(`${ruleType}: ${ruleValidation.errors.join(", ")}`);
-        result.valid = false;
-      }
-      result.warnings.push(...ruleValidation.warnings.map((w) => `${ruleType}: ${w}`));
-    }
-  }
-  return result;
-}
-function validateRuleExpression(expression) {
-  const result = {
-    valid: true,
-    errors: [],
-    warnings: []
-  };
-  if (expression === null || expression === "") {
-    return result;
-  }
-  let parenCount = 0;
-  for (const char of expression) {
-    if (char === "(") parenCount++;
-    if (char === ")") parenCount--;
-    if (parenCount < 0) {
-      result.errors.push("Unbalanced parentheses");
-      result.valid = false;
-      return result;
-    }
-  }
-  if (parenCount !== 0) {
-    result.errors.push("Unbalanced parentheses");
-    result.valid = false;
-  }
-  if (expression.includes("==")) {
-    result.warnings.push("Use '=' instead of '==' for equality comparison");
-  }
-  const requestRefs = expression.match(/@request\.[a-zA-Z_][a-zA-Z0-9_.]*/g) || [];
-  for (const ref of requestRefs) {
-    const isValid = ref.startsWith("@request.auth.") || ref === "@request.method" || ref === "@request.context" || ref.startsWith("@request.body.") || ref.startsWith("@request.query.") || ref.startsWith("@request.headers.");
-    if (!isValid) {
-      result.errors.push(`Invalid @request reference: '${ref}'`);
-      result.valid = false;
-    }
-  }
-  return result;
-}
-function createPermissions(permissions) {
-  return {
-    listRule: permissions.listRule ?? null,
-    viewRule: permissions.viewRule ?? null,
-    createRule: permissions.createRule ?? null,
-    updateRule: permissions.updateRule ?? null,
-    deleteRule: permissions.deleteRule ?? null,
-    manageRule: permissions.manageRule ?? null
-  };
-}
-function mergePermissions(...schemas) {
-  const merged = {
-    listRule: null,
-    viewRule: null,
-    createRule: null,
-    updateRule: null,
-    deleteRule: null,
-    manageRule: null
-  };
-  for (const schema of schemas) {
-    if (schema.listRule !== void 0) merged.listRule = schema.listRule;
-    if (schema.viewRule !== void 0) merged.viewRule = schema.viewRule;
-    if (schema.createRule !== void 0) merged.createRule = schema.createRule;
-    if (schema.updateRule !== void 0) merged.updateRule = schema.updateRule;
-    if (schema.deleteRule !== void 0) merged.deleteRule = schema.deleteRule;
-    if (schema.manageRule !== void 0) merged.manageRule = schema.manageRule;
-  }
-  return merged;
-}
-var ProjectInputSchema = z.object({
-  // Required fields
-  title: z.string(),
-  content: z.string(),
-  status: StatusEnum,
-  summary: z.string().optional(),
-  OwnerUser: RelationField({ collection: "Users" }),
-  SubscriberUsers: RelationsField({ collection: "Users" })
-}).extend(inputImageFileSchema);
-var ProjectSchema = ProjectInputSchema.omit(omitImageFilesSchema).extend(baseImageFileSchema);
-var ProjectCollection = defineCollection({
-  collectionName: "Projects",
-  schema: ProjectSchema,
-  permissions: {
-    template: "owner-only",
-    ownerField: "OwnerUser",
-    customRules: {
-      listRule: '@request.auth.id != ""',
-      viewRule: '@request.auth.id != "" && (OwnerUser = @request.auth.id || SubscriberUsers ?= @request.auth.id)'
-    }
-  }
-});
-var UserInputSchema = z.object({
-  name: z.string().optional(),
-  email: z.string().email(),
-  password: z.string().min(8, "Password must be at least 8 characters"),
-  passwordConfirm: z.string(),
-  avatar: z.instanceof(File).optional()
-});
-var UserCollectionSchema = z.object({
-  name: z.string().optional(),
-  email: z.string().email(),
-  password: z.string().min(8, "Password must be at least 8 characters"),
-  avatar: z.instanceof(File).optional()
-});
-var UserSchema = UserCollectionSchema.extend(baseSchema);
-var UserCollection = defineCollection({
-  collectionName: "users",
-  type: "auth",
-  schema: UserSchema,
-  permissions: {
-    // Users can list their own profile
-    listRule: "id = @request.auth.id",
-    // Users can view their own profile
-    viewRule: "id = @request.auth.id",
-    // Anyone can create an account (sign up)
-    createRule: "",
-    // Users can only update their own profile
-    updateRule: "id = @request.auth.id",
-    // Users can only delete their own account
-    deleteRule: "id = @request.auth.id"
-    // manageRule is null in PocketBase default (not set)
-  },
-  indexes: [
-    // PocketBase's default indexes for auth collections
-    "CREATE UNIQUE INDEX `idx_tokenKey__pb_users_auth_` ON `users` (`tokenKey`)",
-    "CREATE UNIQUE INDEX `idx_email__pb_users_auth_` ON `users` (`email`) WHERE `email` != ''"
-  ]
-});
 var BaseMutator = class {
   pb;
   // Define a default property that subclasses will override
@@ -721,78 +287,436 @@ var BaseMutator = class {
     throw error;
   }
   /**
-   * Check if an error is a "not found" error
+   * Check if an error is a "not found" error
+   */
+  isNotFoundError(error) {
+    return error instanceof Error && (error.message.includes("404") || error.message.toLowerCase().includes("not found"));
+  }
+  /**
+   * Standard error handling wrapper (legacy method, consider using handleError instead)
+   */
+  errorWrapper(error) {
+    console.error(`Error in ${this.constructor.name}:`, error);
+    throw error;
+  }
+  /**
+   * Subscribe to changes on a specific record
+   * @param id The ID of the record to subscribe to
+   * @param callback Function to call when changes occur
+   * @param expand Optional expand parameters
+   * @returns Promise that resolves to an unsubscribe function
+   */
+  async subscribeToRecord(id, callback, expand) {
+    const finalExpand = this.prepareExpand(expand);
+    const options = finalExpand ? { expand: finalExpand } : {};
+    return this.getCollection().subscribe(id, callback, options);
+  }
+  /**
+   * Subscribe to changes on the entire collection
+   * @param callback Function to call when changes occur
+   * @param expand Optional expand parameters
+   * @returns Promise that resolves to an unsubscribe function
+   */
+  async subscribeToCollection(callback, expand) {
+    const finalExpand = this.prepareExpand(expand);
+    const options = finalExpand ? { expand: finalExpand } : {};
+    return this.getCollection().subscribe("*", callback, options);
+  }
+  /**
+   * Unsubscribe from a specific record's changes
+   * @param id The ID of the record to unsubscribe from
+   */
+  unsubscribeFromRecord(id) {
+    this.getCollection().unsubscribe(id);
+  }
+  /**
+   * Unsubscribe from collection-wide changes
+   */
+  unsubscribeFromCollection() {
+    this.getCollection().unsubscribe("*");
+  }
+  /**
+   * Unsubscribe from all subscriptions in this collection
+   */
+  unsubscribeAll() {
+    this.getCollection().unsubscribe();
+  }
+};
+var baseSchema = {
+  id: z.string().describe("unique id"),
+  collectionId: z.string().describe("collection id"),
+  collectionName: z.string().describe("collection name"),
+  expand: z.record(z.any()).describe("expandable fields"),
+  created: z.string().describe("creation timestamp"),
+  updated: z.string().describe("last update timestamp")
+};
+var baseSchemaWithTimestamps = {
+  ...baseSchema,
+  created: z.string().describe("creation timestamp"),
+  updated: z.string().describe("last update timestamp")
+};
+var baseImageFileSchema = {
+  ...baseSchema,
+  thumbnailURL: z.string().optional(),
+  imageFiles: z.array(z.string())
+};
+var inputImageFileSchema = {
+  imageFiles: z.array(z.instanceof(File))
+};
+var omitImageFilesSchema = {
+  imageFiles: true
+};
+function textField(options) {
+  let schema = z.string();
+  if (options?.min !== void 0) schema = schema.min(options.min);
+  if (options?.max !== void 0) schema = schema.max(options.max);
+  if (options?.pattern !== void 0) schema = schema.regex(options.pattern);
+  return schema;
+}
+function emailField() {
+  return z.string().email();
+}
+function urlField() {
+  return z.string().url();
+}
+function numberField(options) {
+  let schema = z.number();
+  if (options?.min !== void 0) schema = schema.min(options.min);
+  if (options?.max !== void 0) schema = schema.max(options.max);
+  return schema;
+}
+function boolField() {
+  return z.boolean();
+}
+function dateField() {
+  return z.date();
+}
+function selectField(values) {
+  return z.enum(values);
+}
+function jsonField(schema) {
+  return schema ?? z.record(z.any());
+}
+function fileField() {
+  return z.instanceof(File);
+}
+function filesField(options) {
+  let schema = z.array(z.instanceof(File));
+  if (options?.min !== void 0) schema = schema.min(options.min);
+  if (options?.max !== void 0) schema = schema.max(options.max);
+  return schema;
+}
+var RELATION_METADATA_KEY = "__pocketbase_relation__";
+function RelationField(config) {
+  const metadata = {
+    [RELATION_METADATA_KEY]: {
+      type: "single",
+      collection: config.collection,
+      cascadeDelete: config.cascadeDelete ?? false,
+      maxSelect: 1,
+      minSelect: 0
+    }
+  };
+  return z.string().describe(JSON.stringify(metadata));
+}
+function RelationsField(config) {
+  const metadata = {
+    [RELATION_METADATA_KEY]: {
+      type: "multiple",
+      collection: config.collection,
+      cascadeDelete: config.cascadeDelete ?? false,
+      maxSelect: config.maxSelect ?? 999,
+      minSelect: config.minSelect ?? 0
+    }
+  };
+  let schema = z.array(z.string());
+  if (config.minSelect !== void 0) {
+    schema = schema.min(config.minSelect);
+  }
+  if (config.maxSelect !== void 0) {
+    schema = schema.max(config.maxSelect);
+  }
+  return schema.describe(JSON.stringify(metadata));
+}
+function extractRelationMetadata(description) {
+  if (!description) return null;
+  try {
+    const parsed = JSON.parse(description);
+    if (parsed[RELATION_METADATA_KEY]) {
+      return parsed[RELATION_METADATA_KEY];
+    }
+  } catch {
+  }
+  return null;
+}
+function editorField() {
+  return z.string();
+}
+function geoPointField() {
+  return z.object({
+    lon: z.number(),
+    lat: z.number()
+  });
+}
+function withPermissions(schema, config) {
+  const metadata = {
+    permissions: config
+  };
+  return schema.describe(JSON.stringify(metadata));
+}
+function withIndexes(schema, indexes) {
+  let existingMetadata = {};
+  if (schema.description) {
+    try {
+      existingMetadata = JSON.parse(schema.description);
+    } catch {
+    }
+  }
+  const metadata = {
+    ...existingMetadata,
+    indexes
+  };
+  return schema.describe(JSON.stringify(metadata));
+}
+function defineCollection(config) {
+  const { collectionName, schema, permissions, indexes, type, ...futureOptions } = config;
+  const metadata = {
+    collectionName
+  };
+  if (type) {
+    metadata.type = type;
+  }
+  if (permissions) {
+    metadata.permissions = permissions;
+  }
+  if (indexes) {
+    metadata.indexes = indexes;
+  }
+  if (Object.keys(futureOptions).length > 0) {
+    Object.assign(metadata, futureOptions);
+  }
+  return schema.describe(JSON.stringify(metadata));
+}
+
+// src/utils/permission-templates.ts
+var PermissionTemplates = {
+  /**
+   * Public access - anyone can perform all operations
    */
-  isNotFoundError(error) {
-    return error instanceof Error && (error.message.includes("404") || error.message.toLowerCase().includes("not found"));
-  }
+  public: () => ({
+    listRule: "",
+    viewRule: "",
+    createRule: "",
+    updateRule: "",
+    deleteRule: ""
+  }),
   /**
-   * Standard error handling wrapper (legacy method, consider using handleError instead)
+   * Authenticated users only - requires valid authentication for all operations
    */
-  errorWrapper(error) {
-    console.error(`Error in ${this.constructor.name}:`, error);
-    throw error;
-  }
+  authenticated: () => ({
+    listRule: '@request.auth.id != ""',
+    viewRule: '@request.auth.id != ""',
+    createRule: '@request.auth.id != ""',
+    updateRule: '@request.auth.id != ""',
+    deleteRule: '@request.auth.id != ""'
+  }),
   /**
-   * Subscribe to changes on a specific record
-   * @param id The ID of the record to subscribe to
-   * @param callback Function to call when changes occur
-   * @param expand Optional expand parameters
-   * @returns Promise that resolves to an unsubscribe function
+   * Owner-only access - users can only manage their own records
+   * @param ownerField - Name of the relation field pointing to user (default: 'User')
    */
-  async subscribeToRecord(id, callback, expand) {
-    const finalExpand = this.prepareExpand(expand);
-    const options = finalExpand ? { expand: finalExpand } : {};
-    return this.getCollection().subscribe(id, callback, options);
-  }
+  ownerOnly: (ownerField = "User") => ({
+    listRule: `@request.auth.id != "" && ${ownerField} = @request.auth.id`,
+    viewRule: `@request.auth.id != "" && ${ownerField} = @request.auth.id`,
+    createRule: '@request.auth.id != ""',
+    updateRule: `@request.auth.id != "" && ${ownerField} = @request.auth.id`,
+    deleteRule: `@request.auth.id != "" && ${ownerField} = @request.auth.id`
+  }),
   /**
-   * Subscribe to changes on the entire collection
-   * @param callback Function to call when changes occur
-   * @param expand Optional expand parameters
-   * @returns Promise that resolves to an unsubscribe function
+   * Admin/superuser only access
+   * Assumes a 'role' field exists with 'admin' value
+   * @param roleField - Name of the role field (default: 'role')
    */
-  async subscribeToCollection(callback, expand) {
-    const finalExpand = this.prepareExpand(expand);
-    const options = finalExpand ? { expand: finalExpand } : {};
-    return this.getCollection().subscribe("*", callback, options);
-  }
+  adminOnly: (roleField = "role") => ({
+    listRule: `@request.auth.id != "" && @request.auth.${roleField} = "admin"`,
+    viewRule: `@request.auth.id != "" && @request.auth.${roleField} = "admin"`,
+    createRule: `@request.auth.id != "" && @request.auth.${roleField} = "admin"`,
+    updateRule: `@request.auth.id != "" && @request.auth.${roleField} = "admin"`,
+    deleteRule: `@request.auth.id != "" && @request.auth.${roleField} = "admin"`
+  }),
   /**
-   * Unsubscribe from a specific record's changes
-   * @param id The ID of the record to unsubscribe from
+   * Public read, authenticated write
+   * Anyone can list/view, but only authenticated users can create/update/delete
    */
-  unsubscribeFromRecord(id) {
-    this.getCollection().unsubscribe(id);
-  }
+  readPublic: () => ({
+    listRule: "",
+    viewRule: "",
+    createRule: '@request.auth.id != ""',
+    updateRule: '@request.auth.id != ""',
+    deleteRule: '@request.auth.id != ""'
+  }),
   /**
-   * Unsubscribe from collection-wide changes
+   * Locked access - only superusers can perform operations
+   * All rules are set to null (locked)
    */
-  unsubscribeFromCollection() {
-    this.getCollection().unsubscribe("*");
-  }
+  locked: () => ({
+    listRule: null,
+    viewRule: null,
+    createRule: null,
+    updateRule: null,
+    deleteRule: null
+  }),
   /**
-   * Unsubscribe from all subscriptions in this collection
+   * Read-only authenticated - authenticated users can read, no write access
    */
-  unsubscribeAll() {
-    this.getCollection().unsubscribe();
-  }
+  readOnlyAuthenticated: () => ({
+    listRule: '@request.auth.id != ""',
+    viewRule: '@request.auth.id != ""',
+    createRule: null,
+    updateRule: null,
+    deleteRule: null
+  })
 };
-
-// src/mutator/userMutator.ts
-var UserMutator = class extends BaseMutator {
-  setDefaults() {
-    return {
-      expand: [],
-      filter: [],
-      sort: ["-updated"]
-    };
+function resolveTemplate(config) {
+  let baseRules;
+  switch (config.template) {
+    case "public":
+      baseRules = PermissionTemplates.public();
+      break;
+    case "authenticated":
+      baseRules = PermissionTemplates.authenticated();
+      break;
+    case "owner-only":
+      baseRules = PermissionTemplates.ownerOnly(config.ownerField);
+      break;
+    case "admin-only":
+      baseRules = PermissionTemplates.adminOnly(config.roleField);
+      break;
+    case "read-public":
+      baseRules = PermissionTemplates.readPublic();
+      break;
+    case "custom":
+      baseRules = {};
+      break;
+    default: {
+      const _exhaustive = config.template;
+      throw new Error(`Unknown template type: ${_exhaustive}`);
+    }
+  }
+  return {
+    ...baseRules,
+    ...config.customRules
+  };
+}
+function isTemplateConfig(config) {
+  return "template" in config;
+}
+function isPermissionSchema(config) {
+  return "listRule" in config || "viewRule" in config || "createRule" in config || "updateRule" in config || "deleteRule" in config || "manageRule" in config;
+}
+function validatePermissionConfig(config, isAuthCollection2 = false) {
+  const result = {
+    valid: true,
+    errors: [],
+    warnings: []
+  };
+  let permissions;
+  if (isTemplateConfig(config)) {
+    if (config.template === "owner-only" && !config.ownerField) {
+      result.warnings.push("owner-only template without ownerField specified - using default 'User'");
+    }
+    if (config.template === "admin-only" && !config.roleField) {
+      result.warnings.push("admin-only template without roleField specified - using default 'role'");
+    }
+    permissions = resolveTemplate(config);
+  } else {
+    permissions = config;
+  }
+  if (permissions.manageRule !== void 0 && !isAuthCollection2) {
+    result.errors.push("manageRule is only valid for auth collections");
+    result.valid = false;
   }
-  getCollection() {
-    return this.pb.collection("Users");
+  const ruleTypes = ["listRule", "viewRule", "createRule", "updateRule", "deleteRule"];
+  if (isAuthCollection2) {
+    ruleTypes.push("manageRule");
   }
-  async validateInput(input) {
-    return UserInputSchema.parse(input);
+  for (const ruleType of ruleTypes) {
+    const rule = permissions[ruleType];
+    if (rule !== void 0 && rule !== null && rule !== "") {
+      const ruleValidation = validateRuleExpression(rule);
+      if (!ruleValidation.valid) {
+        result.errors.push(`${ruleType}: ${ruleValidation.errors.join(", ")}`);
+        result.valid = false;
+      }
+      result.warnings.push(...ruleValidation.warnings.map((w) => `${ruleType}: ${w}`));
+    }
   }
-};
+  return result;
+}
+function validateRuleExpression(expression) {
+  const result = {
+    valid: true,
+    errors: [],
+    warnings: []
+  };
+  if (expression === null || expression === "") {
+    return result;
+  }
+  let parenCount = 0;
+  for (const char of expression) {
+    if (char === "(") parenCount++;
+    if (char === ")") parenCount--;
+    if (parenCount < 0) {
+      result.errors.push("Unbalanced parentheses");
+      result.valid = false;
+      return result;
+    }
+  }
+  if (parenCount !== 0) {
+    result.errors.push("Unbalanced parentheses");
+    result.valid = false;
+  }
+  if (expression.includes("==")) {
+    result.warnings.push("Use '=' instead of '==' for equality comparison");
+  }
+  const requestRefs = expression.match(/@request\.[a-zA-Z_][a-zA-Z0-9_.]*/g) || [];
+  for (const ref of requestRefs) {
+    const isValid = ref.startsWith("@request.auth.") || ref === "@request.method" || ref === "@request.context" || ref.startsWith("@request.body.") || ref.startsWith("@request.query.") || ref.startsWith("@request.headers.");
+    if (!isValid) {
+      result.errors.push(`Invalid @request reference: '${ref}'`);
+      result.valid = false;
+    }
+  }
+  return result;
+}
+function createPermissions(permissions) {
+  return {
+    listRule: permissions.listRule ?? null,
+    viewRule: permissions.viewRule ?? null,
+    createRule: permissions.createRule ?? null,
+    updateRule: permissions.updateRule ?? null,
+    deleteRule: permissions.deleteRule ?? null,
+    manageRule: permissions.manageRule ?? null
+  };
+}
+function mergePermissions(...schemas) {
+  const merged = {
+    listRule: null,
+    viewRule: null,
+    createRule: null,
+    updateRule: null,
+    deleteRule: null,
+    manageRule: null
+  };
+  for (const schema of schemas) {
+    if (schema.listRule !== void 0) merged.listRule = schema.listRule;
+    if (schema.viewRule !== void 0) merged.viewRule = schema.viewRule;
+    if (schema.createRule !== void 0) merged.createRule = schema.createRule;
+    if (schema.updateRule !== void 0) merged.updateRule = schema.updateRule;
+    if (schema.deleteRule !== void 0) merged.deleteRule = schema.deleteRule;
+    if (schema.manageRule !== void 0) merged.manageRule = schema.manageRule;
+  }
+  return merged;
+}
 
 // src/migration/errors.ts
 var MigrationError = class _MigrationError extends Error {
@@ -5319,6 +5243,6 @@ async function executeStatus(options) {
   }
 }
 
-export { CLIUsageError, ConfigurationError, DiffEngine, FIELD_TYPE_INFO, FileSystemError, MigrationError, MigrationGenerationError, MigrationGenerator, POCKETBASE_FIELD_TYPES, PermissionTemplates, ProjectCollection, ProjectInputSchema, ProjectSchema, RelationField, RelationsField, SchemaAnalyzer, SchemaParsingError, SnapshotError, SnapshotManager, StatusEnum, UserCollection, UserCollectionSchema, UserInputSchema, UserMutator, UserSchema, aggregateChanges, baseImageFileSchema, baseSchema, baseSchemaWithTimestamps, boolField, buildFieldDefinition, buildSchemaDefinition, categorizeChangesBySeverity, compare, compareFieldConstraints, compareFieldOptions, compareFieldTypes, comparePermissions, compareRelationConfigurations, convertPocketBaseMigration, convertZodSchemaToCollectionSchema, createMigrationFileStructure, createPermissions, dateField, defineCollection, detectDestructiveChanges, detectFieldChanges, discoverSchemaFiles, editorField, emailField, extractComprehensiveFieldOptions, extractFieldDefinitions, extractFieldOptions, extractIndexes, extractRelationMetadata, extractSchemaDefinitions, fileField, filesField, filterSystemCollections, findLatestSnapshot, findNewCollections, findNewFields, findRemovedCollections, findRemovedFields, formatChangeSummary, generate, generateChangeSummary, generateCollectionCreation, generateCollectionPermissions, generateCollectionRules, generateDownMigration, generateFieldAddition, generateFieldDefinitionObject, generateFieldDeletion, generateFieldModification, generateFieldsArray, generateIndexesArray, executeGenerate as generateMigration, generateMigrationDescription, generateMigrationFilename, generatePermissionUpdate, generateTimestamp, generateUpMigration, geoPointField, getArrayElementType, getCollectionNameFromFile, getDefaultValue, getFieldTypeInfo, getMaxSelect, executeStatus as getMigrationStatus, getMinSelect, getSnapshotPath, getSnapshotVersion, getUsersSystemFields, importSchemaModule, inputImageFileSchema, isArrayType, isAuthCollection, isEditorField, isFieldRequired, isFileFieldByName, isGeoPointType, isMultipleRelationField, isPermissionSchema, isRelationField, isSingleRelationField, isSystemCollection, isTemplateConfig, jsonField, loadBaseMigration, loadConfig, loadSnapshot, loadSnapshotIfExists, loadSnapshotWithMigrations, logError, logInfo, logSection, logSuccess, logWarning, mapZodArrayType, mapZodBooleanType, mapZodDateType, mapZodEnumType, mapZodNumberType, mapZodRecordType, mapZodStringType, mapZodTypeToPocketBase, matchCollectionsByName, matchFieldsByName, mergePermissions, mergeSnapshots, numberField, omitImageFilesSchema, parseSchemaFiles, pluralize, requiresForceFlag, resolveTargetCollection, resolveTemplate, saveSnapshot, selectField, selectSchemaForCollection, singularize, snapshotExists, textField, toCollectionName, unwrapZodType, urlField, validatePermissionConfig, validateRuleExpression, validateSnapshot, withIndexes, withPermissions, withProgress, writeMigrationFile };
+export { BaseMutator, CLIUsageError, ConfigurationError, DiffEngine, FIELD_TYPE_INFO, FileSystemError, MigrationError, MigrationGenerationError, MigrationGenerator, POCKETBASE_FIELD_TYPES, PermissionTemplates, RelationField, RelationsField, SchemaAnalyzer, SchemaParsingError, SnapshotError, SnapshotManager, StatusEnum, aggregateChanges, baseImageFileSchema, baseSchema, baseSchemaWithTimestamps, boolField, buildFieldDefinition, buildSchemaDefinition, categorizeChangesBySeverity, compare, compareFieldConstraints, compareFieldOptions, compareFieldTypes, comparePermissions, compareRelationConfigurations, convertPocketBaseMigration, convertZodSchemaToCollectionSchema, createMigrationFileStructure, createPermissions, dateField, defineCollection, detectDestructiveChanges, detectFieldChanges, discoverSchemaFiles, editorField, emailField, extractComprehensiveFieldOptions, extractFieldDefinitions, extractFieldOptions, extractIndexes, extractRelationMetadata, extractSchemaDefinitions, fileField, filesField, filterSystemCollections, findLatestSnapshot, findNewCollections, findNewFields, findRemovedCollections, findRemovedFields, formatChangeSummary, generate, generateChangeSummary, generateCollectionCreation, generateCollectionPermissions, generateCollectionRules, generateDownMigration, generateFieldAddition, generateFieldDefinitionObject, generateFieldDeletion, generateFieldModification, generateFieldsArray, generateIndexesArray, executeGenerate as generateMigration, generateMigrationDescription, generateMigrationFilename, generatePermissionUpdate, generateTimestamp, generateUpMigration, geoPointField, getArrayElementType, getCollectionNameFromFile, getDefaultValue, getFieldTypeInfo, getMaxSelect, executeStatus as getMigrationStatus, getMinSelect, getSnapshotPath, getSnapshotVersion, getUsersSystemFields, importSchemaModule, inputImageFileSchema, isArrayType, isAuthCollection, isEditorField, isFieldRequired, isFileFieldByName, isGeoPointType, isMultipleRelationField, isPermissionSchema, isRelationField, isSingleRelationField, isSystemCollection, isTemplateConfig, jsonField, loadBaseMigration, loadConfig, loadSnapshot, loadSnapshotIfExists, loadSnapshotWithMigrations, logError, logInfo, logSection, logSuccess, logWarning, mapZodArrayType, mapZodBooleanType, mapZodDateType, mapZodEnumType, mapZodNumberType, mapZodRecordType, mapZodStringType, mapZodTypeToPocketBase, matchCollectionsByName, matchFieldsByName, mergePermissions, mergeSnapshots, numberField, omitImageFilesSchema, parseSchemaFiles, pluralize, requiresForceFlag, resolveTargetCollection, resolveTemplate, saveSnapshot, selectField, selectSchemaForCollection, singularize, snapshotExists, textField, toCollectionName, unwrapZodType, urlField, validatePermissionConfig, validateRuleExpression, validateSnapshot, withIndexes, withPermissions, withProgress, writeMigrationFile };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map